DoD building cyber workforce of the future

Jared Serbu, DoD reporter, Federal News Radio

It's a safe bet that no one in the Defense Department would argue that the U.S. military has completely solved the challenge of making sure its forces will dominate the future cyber battlefield as convincingly as its conventional forces handle air, sea or ground power today. But the progress toward that goal has been significant, experts inside and outside of government say.

Two years ago, U.S. Cyber Command was brand new. President Barack Obama ordered its creation to coordinate and synchronize the cyber activities of all the military services, including recruiting a top-notch workforce.

As Gen. Keith Alexander, the then-new commander of CYBERCOM told a House hearing in September 2010, recruiting that workforce was one challenge. Holding onto it in the face of the much higher salaries the private sector could offer was another.

"We're getting a lot of good folks," he told the House Armed Services Committee. "It's a privilege and honor to see the people we're getting. The question is how we retain them."

But two years into the military's workforce buildup, cyber commanders say their initial fears that cyber warriors would give up their military jobs in pursuit of bigger paychecks have turned out to be mostly a non-issue.

"We've exceeded my expectations, to be honest," Vice Adm. Michael Rogers, the commander of the Navy's Fleet Cyber Command told a subcommittee of the same Congressional panel almost two years later. "I think the thing that's surprised and heartened me the most is that increasingly these men and women view themselves as warriors. While our civilian counterparts offer a lot of opportunities, one thing they don't offer is the ability to be a warrior. The workforce really seems to crystalize around that idea."

For these and other reasons, Federal News Radio has rated the Obama administration as effective in creating a DoD cyber workforce of the future. The rating is part of our special week-long multimedia series, The Obama Impact: Evaluating the Last Four Years.

Rethinking strategies to recruit, retain

Lt. Gen. Michael Basla, who just took over as the Air Force's chief information officer, said his service had a similar experience.

"We've made it an operational domain. It's a warfighting domain. The folks involved in that understand that and want to be part of the fight," Basla said in an interview with Federal News Radio. "I have talked to warfighters like our fighter pilots, and they talk about having both kinetic and nonkinetic options for each of their targets. When you get that kind of mindset, the troops in the field who are providing this cyber capability get pretty excited. We haven't had any retention problems that I've seen."

Gen. Keith Alexander, commander of CYBERCOM

Knowing they can't compete with the private sector on salary, the military services have calibrated their cyber recruiting and training strategies to emphasize benefits that don't show up in black-and-white on a leave and earnings statement, like training opportunities and operational experiences they can't find with industry.

"The money's better on the outside. Got it. But when you're working with the right authorities here, you can do a lot of things that will get you put in jail on the civilian side," Skip Runyan, the technical director for the Air Force's 39th Information Operations Squadron told Federal News Radio in a recent interview. "In the Air Force model, we've trained a lot of pilots that end up working for the airline industry. So there's always going to be a draw to the private sector, but a lot of those pilots we've trained have also gone on to be four-star generals. We're looking for that same career progression for our cyber officers and enlisted personnel."

Changes in oversight and governance from the Pentagon have helped with the workforce effort, according to Alan Paller, research director at the SANS Institute.
He said up until about a year ago, the headquarters element of the Defense Department focused on exactly the wrong evaluation criteria for recruiting and maintaining its cyber workforce: compliance with certification and accreditation paperwork rather than real-world warfighter capability.

"The people they highlighted were people with what we call soft skills. Good writing. Good talking. Everything except actually being able to secure a computer," he said.

Requiring technical skills

After what Paller characterized as a behind-the-scenes battle between the Pentagon and on-the-ground cyber warfighters in U.S. Cyber Command and the military branches, that paradigm changed.

"Then they went ahead and did it right," he said. "The Air Force really is in the lead, but the Navy is right there with them and now the Army is catching up, and they're all focused on mission-critical skills. When you take the best military training right now, you get really technical, hands-on, hard-nosed skills. The headquarters people have discovered after a lot of feedback from the field that they had been doing it wrong. They're now looking at measuring proficiency instead of book learning, and I'm very impressed."

While the military services all have their own specific training responsibilities and missions-for cyber warriors, Alexander, the head of Cyber Command, has also emphasized the need for joint training so that when cyber warriors are tasked with a mission they're all trained to the same standards regardless of the uniform they wear.

"Our vision is to help to establish a very robust cybersecurity workforce development and certification program that will help prepare DoD cyber warriors to operate and defend our networks in an increasingly threat-based environment," said Henry Sienkiewicz, DISA's vice chief information assurance executive. "As we move the Department of Defense into a joint information environment, that whole environment needs to be able to be supported by consistent, repeatable behaviors. There are going to be service-specific attributes, and we clearly know that. The services are doing a great job on training their cyber workforce. We just know that DISA and our cyber partners, including the National Defense University, have really important roles in helping to augment that training and setting some of those standards."

The operational training framework will be organized around 42 specific roles in the DoD workforce. The first focus is on members of the Defense workforce who are specifically tasked with computer network defense, said Roger Greenwell, DISA's director of field security operations.

"And as we look at the various roles that an individual would play, we're making determinations about what's the appropriate training, what's the knowledge, what's the ability of each person in those specific roles, and we're working toward the development of more modularized training," he said. "That training can then be leveraged across each specific role, or in some cases, a training module may be more appropriate to different roles entirely."

Alexander has told Congress and public forums that another top workforce priority is to better integrate the capabilities of the offensive and defensive sides of the military's cyber workforce.

A numbers problem

And even though retention challenges have been less troublesome than initially feared and the military has begun to build effective training frameworks, DoD still is struggling to recruit and train the sheer volume of qualified cyber warriors it believes it needs.

"At present, we are critically short of the skills and the skilled people we as a command and a nation require to manage our networks and protect U.S. interests in cyberspace," Alexander told the Senate Armed Services Committee in March.

Paller agreed that while the quality and organization of the training pipelines have been significantly improved in recent years, the bandwidth of that pipeline is still far too small.

"Full understanding of this has come about just in the last six months," he said. "When it became public that the United States had been behind Stuxnet, it became acceptable for other nations to [use similar weapons]. And we're much, much more vulnerable than other nations are. Iran's centrifuges weren't connected to the Internet, but no matter what you hear, our power systems and a number of other things are connected to the Internet."

Top-notch cyber threat "hunters" and "tool builders" still are in short supply, Paller said.

"We probably have fewer than 800 of them in the entire country. China probably has 40,000 of them."

Basla, the Air Force CIO, said because his service faces fiscal constraints, it has to make tough decisions about personnel, it's important to zealously guard the elite cyber professionals it's built up so far.

That hasn't always happened, he said.

"In some force shaping measures over the past few years, we had to reduce our end strength, and we did it across-the-board without paying attention to the different capabilities that the airmen represented," he said. "It was a fair way to do it, I'll say that, but we didn't have the fidelity we needed to say, 'Hey, we've only got a handful of folks with this kind of skill. We need to protect them.'"